From e28f67ea6f2a4b17643b176486975b71468fb2fc Mon Sep 17 00:00:00 2001
From: Jason Ish
Date: Mon, 9 May 2022 09:37:32 -0600
Subject: [PATCH] ips-state: test flow pass for ip-only rule with negation

Ticket: #5361
---
 tests/ips-state-1/README.md | 13 ++++++++++
 tests/ips-state-1/input.pcap | Bin 0 -> 13966 bytes
 tests/ips-state-1/test.rules | 2 ++
 tests/ips-state-1/test.yaml | 45 +++++++++++++++++++++++++++++++++++
 4 files changed, 60 insertions(+)
 create mode 100644 tests/ips-state-1/README.md
 create mode 100644 tests/ips-state-1/input.pcap
 create mode 100644 tests/ips-state-1/test.rules
 create mode 100644 tests/ips-state-1/test.yaml

diff --git a/tests/ips-state-1/README.md b/tests/ips-state-1/README.md
new file mode 100644
index 000000000..61eb27126
--- /dev/null
+++ b/tests/ips-state-1/README.md
@@ -0,0 +1,13 @@
+## PCAP
+
+This PCAP contains 3 flows. 2 are http and one is TLS. The HTTP flows should
+be full passed with no alerts, while the TLS flow should be dropped.
+
+## Current Observations
+
+- HTTP response packets are being logged as dropped, however the transaction is
+ logged suggesting the drop is only in logging only, but not actually
+ occurring.
+
+- All the TLS packets apear to be getting dropped, but `flow.action` is never
+ set to true.
diff --git a/tests/ips-state-1/input.pcap b/tests/ips-state-1/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..90f36100be68cf25a971800045ad3c452955a63f GIT binary patch literal 13966 zc-qyQbyQW|yYDyM-3Zd%-7VcIrP3|k(x7y=lF}h9DIp=gfkGVip5FMcOP9uJAV;e|M%|JI> zpgI1REHqqa1ESxNu}7f+qCl$XeVW;qJ#IC({-HS)NZ;{61v_ni1Jnq1t5+371`*kT z!~`HM;XY!}vga-F<-J5)u+v10--(jqYQ#*$Qfg{SOe~BnNbpiN4vxIUj>Zm-FWtJ%GjO`gjOpUF9-!OEtw_@UA45ihZ-z9T&`Gb^!( ztvwLW%1X@4!OP0d%gRP9DX)eEuWD@XY;4ad| zIC(i(d0BY=IR^>e$=pbQncCjQ#*v2D^grL*+c?=e-2Ho-dlXxkhx(k?Z4YVrqlX;C z?`?Jf``k$r!ml3k3Y0An(c)pE_bsvcULqQh2>&-x>HNX|L4VsnFn+J*W(SaZ=z|6r zX@>h%&3X_OL^L^nP@~VS#-=|s9s;RfK&@_U`=v1rM3n*(Grtfv3;n1rUqQFZ)JzZtLs z(eKDjK=OZ|1z+x4%`ksxRs+)KL4LCVeV2tJWe^!e3{61WkfQZ--VBkPQ2m1*D0Xq_$wMMsut7AGI0!a7@ON$%wae9{9+^gE@gKZ{h z4{?~7ilVqhEzHfK?{;<+QTM>_b-IcqPm?&i#Ki-v+_LkP=BU-x=a$n6HX508Wkpf| zEIJzgEJ-_vI6C^@5v>}3Ct?Gu;tuTc&JYkL*6lqVEX)i-hBi|E@#>pJCG{wWHcJxH zDQN-07`~AIV@JgR4q1%AVuM3K0&9F*;X(yDuVcqih*l@;hHEzb8iPI0g)U}8CP0O6 zKtL706DBY`7#I%lFL42j+pBji)c_ugnUdJC$9a1=jaJhu^`T+48xoonO;pM9(w+Zj>xdXg# zE>lW_!{2$XpuOd*wfG!#E_3KEeaDT436rKpz0Y4EHCkqtzAJRR3C#_+ozJkMM9i?_ z@#Af5;MULYi!^NY?mpr_;j%YW85Ynn2TXyTkG*d^&f%oYJuA)rVe0-&iO|r>!fRng z$ZxdVufcf0L~U*3!`H3-)}bM=qb8lYm5}Of1qc-1Ylq(N*T)EeTICpVVvS&W2~xpLY4srG#&)LfcRj!8gyzZ=YGEJ<8Bq=V3<;Ou>o1+gxkSyY%tlQ^ zm2+-<1$9pQl-bCeiD|h#o}kM3y^cXYDd`bL=xld)gC$ShbzEB_eN1DapAhL>%RE&3 zhm2hQ3KToCXL@$J7OTiNBw~sc2BI(9y@oF4k18-MUc<%!q~4^V<{-ee7edM_5ii|X zg-c*&$bnl~H`lP%x(kBl+z z1Pi3$mh$yci@xR_w35_*PG#sx-a=0c@z}%unBOTbRrB^+kGeudC-LTjc_hbCu{_r{ zM|@A+eEmDblSoRwink!jdO%jC777`qal<*S1^K-e;%q%pT zNfp|45joVe$Vza0mr(qkhS%|19)2m*V!vFR-ql+y3Yr1KiV&Qs z&)q{M*$O1#nIsrgn$M+Ew#uHFzzxQiQAYW#t-#qmHm=1Gp$KB=L-puENev$Mr!+E` zq4dOVe~Aa7n2K@`(mAMN9kbRKR`gX_V|(Pf6E6wXN>g&EQ-65k=a4=sN(eGFQRzEt zHVcIxJEinBb zrO~hP4mEXjAr`)DIA>lt=t@4Wor5x|nQuc;-C~a^W-E{>7{HdNWctxTNzH;k(K#1b z$SqVev_DS zhmXAb3mpP4h@`&%Ah_bM%*O0sj<@2>LBN)OlEG2Eai(+QO(HZGW zeTK0On7 
z%CTddxGpx2#uLYh<8@Jw`VuXgh-d|MS=q|dXIdP5g;Cc%8p6O+v=tT8`7}y62k#cEpBn^MrNIo`J)*$9Z^g76qg!UGl3(%-S#6 z_9+%&g~zoyvnk3_mbzoI%sFPP(}LlaBbN@xUW()pX@Q(S?P2HdxOM)K-<|*B&7Jf6 zu>S7+-%F2)so=L}kM$v*1k|$ygiOAD3npI`mkqVkhAlqWnI@|o^GfcGci0yLR|ux$ z=C1ei^4gmA7;M%`FK_amNT8L;@{D1defVG+PImli=abvFN*YJZ5UZQh?+_Sk49oid zl+~Z<0qXJZ%wZE6 z%-2gj<_Jc+iA}L^tD#7@wpD3}`~I8bf>X z;SVo~?}KK6-U#$9lS6=0*%rCB-mWK0Sm6dS7+iBWLY3pI}YaY;ucv{cyTrp#hs0d}IN zx?e&JK@la}I-a%b?_xnbr&K(fQGru&`SH>7ArrYSaAZLtqoQvg3}(rC03Y3%DG()d zz{4q=ir%W@J5CT^xvDnke>r68m{Za(FV-vy8nRt%t)mu{at6ntWjEt+F@`(nAfZXB zNJ*6*?bf;}UAL@OMRPS>ug*x z6+UWX+Sjv!En?CU=igT(H9a1k$-c<>F#RTIX2NGP%Fu+sNbGR#C&cAbar6U^xOTxZ z=`xk!R^PJEsG`>`1PL5znhuTos~-Rv11JGGhAXO7>(?^8*oDR6j@mc1Xw%!i{Aqj{}0T`3X-4Ujoc% z$Ruq1#_rhGqR5|MS9#Cgk=>}_F*T-`Lmv~*YQv(q)lJgT6r^^sKg;xD^nA_`h!UV# z`hu!u9jPRTzCg&nm^t4eAlYh2{C&J!+w|L*h{KjQ)!dP2J=JIdyg$5~_RHxsw=9(N z!~~g$mz=gj8Yl;U4tC?q=BOPm*PAB94+mAcIuG(OnNUmg>eYPqly=x-Sh)Q0p$1-| zO0z6E(3anmpt}1Qfh}nulABK}TD#Ie;btDG-gA}AZ2(4wwS!*O+RrbXIz_syw(KD5 zCPyu8dYJk#{#py)&;;i!b$5gk|$vR)neCmnQwf)S@5 z=SFGNw4hWd>8IKtha@%JJx~YZw|F+U4aO{AdQLn|&|xM_he*AciDYKZhaMxBT}{Lj zPf}>U<^g*Z{fOG5p_cD!4Hk3VPbsB9O-tNk_{)ez43&ioXe;<+KjrryDm1QBZ&a0_ zeNQyeyBWD72XN}hjpn(Z7D#FOkOhxo%IQ8 zM>s<1B{&ej16QG^z~(w*b{1y7lmc*szj$q`>6P&_mbT3a0+S$faOU*9grH`ADmnQI zKc^(3acqdza+misL}(rN1U_4d^CDAq?%Y^WBH!t?^uf24_1?aGb4=evRZaj|u(+@w z-+6>WCrX+;Q2@yK`&f}4n(p%6PIsYxpPVvif!rT7>0g5QH97SJxj%@w@i39^mI(Pb z@rDsd+@I0=n|J{vjsQodk^4rcc9Ji*qtnLkqtgxJ?dXIHm>DwteRQhX(p#iL%a(22 zPlf9fY5Cf1T;-0GsOgD8e}i-Jy}3_(`U0Y?hCYkJWORt6a+gGwjKzlWO>%;z9`vZ9 zjR#iG;ODs@*NDVL@vVR%Y+_<_t(wTTShss~(A@ zeq%~XN#J@{aKj7rzGwx72Bq^mNsWK91}~riGAb=H&2Ve6F5mgX$?c z?M&n0R9T{1iT5*16HN*9*XZ3LM1aj>mqqz5q?p9d-)tPhB`ZEYYchF+#bZx??gw9n zwnLF>{q!@Y0>^2zVGN8|y3D82lW%B^TzouXUc(!9!8hNn>@CPnE_e|GUncXH`zcnO z5rz6lHJm1{`3GLnTzgNH!K{7GQp62$QPjR^d}iQ{9;MG-vrz8w<(tFPBnHcCeYXmp zT{oJi`8$lMFRi56;Hq;^>Ener)(^4SKeUBzn;^Qs6vsqy(B?BBtaM!0c`G{Wtc*nn z2E}~*R$2f7l__Gu_(jLU@^0u-O~z&aK5g%e9|qy4({mi>)uIU=N|uE61?g%74LR3A z!*yDL~ 
zN&&QBC9JbgYiX1+2`qd0VQmw%a;Yh%y6C+&xsEXeXmd*Y3Qfh5ZKqA%GZE5Z%+GcG zG`aTq(j79EO0~QNo21^1ysYL=QqlzFP9AZ6NE!P+MImM8>8j7W49l%X$jM1 zT(VJNpACRr}h2`4_ojH&XOK%m#q~83*7polgO^P_|S;zn`ElG_}`8@Y#%Az#q z^PBBfvZy#eoe$-kx{h%%te@~3M@(%n2Av}bUyo5aMj5PVB?OQrpZ+lZtKPcTe0#>beHY<+bm7~nYjIl1u+kXl?@kv z;lloS1puVqV?-qm9^B3v{L-04Nvy*8OPWVB_}R@h8<(wGahSwkF}5+{+vx2k6(8Zw z6Ka{~RWvUC2(0@qkj(f+Fnj>fe6f{do_i7OogyUto;^14NoiaSA)I2w-uVOQ#8Lu8*p%QG8FWizpcP0&nevA^v%~m)HH8RE ze)%*ahH80sX(1MUogKnTEuuhKgD+^80GznOM`Piws0S=rwlb}IGaY;-nbqJB;0L7n z-A8ov6#x;Rw%$v`1>1;Y`$hBx5&wOd#9_-E&W+n5P;V6;o<2S~*A#DT+I8Inp^u?q z!lHA{*D(TJ^8>rW&PAT1zVCI}zSVf&gd;de5v&*zz!s>+_C7@hzJj-kM*mQhe5Xjm z{&z(nEi`h4k(2N1&eAD<$W9ZLbe?mYW6CCnhS1?-2W{z~3Z=D%Z&r~rtZS5k;v)m& zI{;%l+!x>2SLinW;2-fj@8XxF{2ibECwveE*Gkpn;0>_Q_0sd=Pmk3$;#+c(lQWf4 zGGwR;ETX3#qt%%iu|$4$0ZE_)N-ze7H@;88Q(xg*3A2AlIKPvC<@UFP$C%hSv9#Wq zBhu>PfreDLfILPugZexkcL{#S>BS~cPy^LRH>@a){{}+3=}+D-JOl6t@Mq&0klen2!Nq_`V7sJawetV`DRv!9-6sy zzgY!|$s2$0p>5~wLtEG1Ze@T%fPyqY6YcT(U$-)!L4rWU3Lp`fnA_toq9sY!Em8Ph zBJk$O74sLd6+{FzkM$9q{~n>8HcOTEI}g&_g>)uED-na@*3Q@r)CmorV8 zFxg9&5HFsu#Ru0Tr><=IlpBe)An#&SIKJT9#@XHDjc zI_VbhNN&1rZG;r>X)^Xc-M;yDEOr1vDX2xglMfa}{5FM`f27a}*s4rWQAS;Ur7-WV zD07n!KKkmtom}+&k)zDJD^hmxuN)z2(Ff=~1CMw_=0_0tI^1D?5asb(*PIseHTO%x zsLUEg=7_p%?Jr3I2yaD42PCOuWc+o={S}MT6N^bwJ%rqM`YRJ94N5gFxp|r04xC7z z>uN3?^f=;UNfc_j;VJIRlbDE8ca^u#|L9vpF^c>6aY8Duvd53m-=x9AvQmFmj&Y!w z0WGtsps^7D?Rsuxs~IeR@-~AshBHUO;aolS#}Vs8z~ox}>{hoyjZX1o2B!W4%z<&5{9*AVw(#2AOUEHK%Re%s;j5W6 zMhr8YJXCx&;ySJcsMtaZQCP9uhK!wJk*=51(g+ZenMDL=O2ZhuQhII3mr{7Gf9fN= z;By-ilTf#bK@9!s*Hc-6!x|r;l2v5fKV!mwnm(AdZ|k?e>-mJbkHyzK&RVyUlTtx;DYExV! 
zV#CBlzL330=p3hulHW)?MjUGRZm^x<5gm796a5q^Rl7^cpkNq}C?fQfU_I&$MZTsn z##D;lQ==h@6GC+&hG0WFF7}e2FWyM0S00^6fX8PEC=?T?onjNNPa~r_?)&!0hqCxWo{7x5PxttDy}3T;!|Pci`4a0S zL}oADLLT{v$3g^#Y~|a_fm((t%CM{SCvu)Y)fz{p>K4Uf;XNdp8&8gy&bDSW$syO2 zk`>uG7WDl|JwHXhrgJ-KAdx9e)!GIa_$z4_KcTt#I`XXiwFb(QFPr%{zOF-Kt6F0N z@K*uTo$xgWF)N$sj3sfyr?|K;+ZLLH+|WpEcP4zS(&sRw9?|3*=ezV2D37Qn zXCOb>FvGP>U)Bg$jk2gln3To3kXC9u_fs_|<`O*iJGCNT57wJ7{HAMD<7ju*F1S+t zQQJ^wI5jPC`Hcm(ZdqPZ|BFW6<#tt_tMD0pQ!!NLfCEo!B3TwRjwbM}j|`Z;^c--_ zjEL1Tjjvvmu%%RRtFTMTNYqL=aViojeySR);NU*|ZrUdeR{QdUnZUOnI&th~QY0p9 z`Wz%?s=68N%kPaUR)f@GGC0Ii*P{t5mk@6HQmsZNFchtwEOUi$_TyembybMps9L_Rnb%U=pf$vvB++u}_Vgg(mzyUykE>7d#(Zrb!+TalED2O` zJVKVsCrP!?UB2m{uzhmO?a3hQe_@?*^8V2J#w|=zs0=}T1}eHf(LS(M_OxUR{%Z)A zQ?}a1o-|W%bAl2p93u)#JB%YWvufQLSUYE!XuL!o#x~gEWk*MXb9r^v8H*dru)=y| ziO~XozldWtk&=piWI@k61h%aO^DjK?{C&61-}}4sBS_ylKaJ$?&R=Y~DQB&= zkq)c9X$u*|Vn(m*t}DTkW4HYy^VE!=>|IQJbhJ|clcLP1PoHezh{c#qUnNY!U^+K8 z_UbU>2L4EU!uZ|?uqo#!%UWQCXJt_}kkZ-~>`+s=N|mgg)p(vn)&3G&AD-tWdu-+R z1buz3T+NUpoFW(KU2rpDQSc=h<;guYmx`(n)fl2w5 z^s|AcFq@Vo7j-;xzDPz2b*rQIaa&XQj|*$TOq5-e$U<|NeMi|-)|`%_#D`#@K1pEs z>`ZFa6MBh!MhSni<}kKku*Vui9{BaDCu|dpM(^o_Z`J&!J|SvyZXwi{oZJ)7U>AkN zG)b5-E}S?ab=j$GMUDnlpD9*W4q-JxJPHwb2a?QIh25m>bJsFbcKcl30vJgX4+ENR z#p+6b(Lwiic&aeNq929au9 zOceESix2_qbPbk1cCv~W<2vY`j}e2ADC@dt5EPw>!CAEL_yF<573!=6`jzG)B#L|1Ew&Bd@xwszKMg~ z!0kw5`~cPaSbOVBAYLLiuHT84)F*5!X*Od>&Rml|eS~Xe)#t4Nt}!wtd`MaJUot9n zpOG=`!U&>KjtU4$)Jya%wK|im)RR8R>6M|KaA2yDS*k*)`bcZGgBdijUzPCP&gC^J z62OCu(nbcWO3KM53)moLi___6<~w;*6i69+S++ zsdspGJ8dGFqKMZ>TQMqAA0<{4_C#0W(*@0PynGQc8H)>G$Beeuo>>lwlsoQ6FolK; zgd#CPbCT)CdL)5HQ5i+`*{?enJ^dn>|;|sg%M?$cR z1pMk7D72qt(9#U3Bx<0~Xp($ifZz`Q=rFHw<064VF%a z+f>U)&0MMaK?a7`CrkV$odHsDwSgS7&qqG#uDEW9#~jt;NND|0X%K?ZXE zMWFL5fmXrZw-Q#Ar2lqaWc0i9qaNJNi&K8I5m5bTBu2d6Qwy z?C#sJ4|_xC!3>ejj7*6s>KUYTWgf5bI=|~BKp-fnpn9?GHi!Mpc^;Z^*tDM99vph$ zc->%7zku~R>sfCKo~LjY>7L=!Vwhqvkxa@%U#a7iy4E>oa@yIi;s2hhd3(2uv8N2+lrOBM3)BB4hC7amjDMpV?!me`%JGF019TlMb9zQ%wlenFw 
zUHm;uLy!i}(l-02|DL5?JWQ0lC7%CHL_Gi!7rF%gCjNMsD0NFb`FMviwaf nL+|+18Lg#5#@ZPZ;A8w5`oiu$o}7npxHLYRp;nd!B5g>;|I{s5wzOZ4~}<0kv3-@ z)Gl)y>Ew?{;kS{{z)rs0{EC!+r+r5c`Jv}h1Gf)v?0&x@&~89f(7jOS#jh)374&!l zL_7x)@3Qe1QI2HrmZ*6z5qOOep8Za|%|>c_3?z!bcpDXDQ#@{gFxh)(_q#|BXdk+b zWb=C@be!8rXh7|Ye`}Z1M+R^LX`J`vmm0LXSQvUr_Rsu+7G^3z0?+XMXMv{H{}W2k z%LiLGeA_zfKU#+iBt_g-X8Kp_)R&&xHnjZt{q@cCkec$h{o2y(98AO~062pMBu=|K!h55Hc z`Fn}DV5bv?zZ37@OY*RSWbMXX|MWNvS4=ySh@b$8S>{273RDAVbwm^ zTMBM#oA5_%&44Wi{U~+PTluTD{h$_uh}5+YRs`*~B8-3Jujw{_Xn>KvpMO`x;bD!1 vw;JQ`(bx`vnpB8d85N$;t!

literal 0
Hc-jL100001

diff --git a/tests/ips-state-1/test.rules b/tests/ips-state-1/test.rules
new file mode 100644
index 000000000..1812fb124
--- /dev/null
+++ b/tests/ips-state-1/test.rules
@@ -0,0 +1,2 @@
+pass tcp $HOME_NET any -> $EXTERNAL_NET 80 (sid:1;)
+drop ip any any -> any any (msg:"DROP ALL"; flow:stateless; sid:2;)
diff --git a/tests/ips-state-1/test.yaml b/tests/ips-state-1/test.yaml
new file mode 100644
index 000000000..7dce2b00e
--- /dev/null
+++ b/tests/ips-state-1/test.yaml
@@ -0,0 +1,45 @@
+requires:
+ min-version: 6
+
+args:
+- -k none --simulate-ips
+
+checks:
+- filter:
+ # We should see 2 http transactions as the pass rule should allow http
+ # flows.
+ #
+ # This fails.
+ count: 2
+ match:
+ event_type: http
+
+- filter:
+ # There should be no alerts for http.
+ count: 0
+ match:
+ event_type: alert
+ app_proto: http
+
+- filter:
+ # There should be 2 http flow events without alerts.
+ count: 2
+ match:
+ event_type: flow
+ app_proto: http
+ flow.alerted: false
+
+- filter:
+ # We should see NO drops (or alerts) for http
+ count: 0
+ match:
+ event_type: alert
+ app_proto: http
+
+- filter:
+ # There should be one tls flow that is alerted
+ count: 1
+ match:
+ event_type: flow
+ dest_port: 443
+ flow.alerted: true
-- 
2.47.2
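Review bot: The pass rule `pass tcp $HOME_NET any -> $EXTERNAL_NET 80 (sid:1;)` only leaves the TLS flow to the catch-all drop rule because `$EXTERNAL_NET` is presumably defined as `!$HOME_NET` in the default configuration, and the rules file records nothing about that dependency; the commit subject calls this an ip-only rule with negation, but with a fixed destination port of 80 it is not obviously ip-only in Suricata's sense, which is worth confirming against the ticket. A comment above the first line would make the intent explicit, e.g. `# Relies on the default $EXTERNAL_NET (!$HOME_NET) negation so only the port-80 flows are passed; everything else hits the stateless drop rule below.` If the negation is the property under test, spelling it out as `!$HOME_NET` in the rule itself would also stop the test from silently changing meaning when the variable is overridden.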
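Review bot: The fourth check (commented `We should see NO drops (or alerts) for http`) repeats the second check field for field — `event_type: alert`, `app_proto: http`, `count: 0` — so the drop expectation it describes is never asserted, even though the README names HTTP response packets being logged as dropped as the observed defect. Matching on the drop record is what would exercise that point: `event_type: drop` with `count: 0` and the same `app_proto: http` if the drop event carries that field in version 6, otherwise keyed on the HTTP flow's port pair. The TLS side has the same gap: the last check only asserts `flow.alerted: true` on `dest_port: 443`, not that any drop record exists for that flow, which is the other observation the README lists. The first check is annotated `# This fails.`, so presumably the test is expected to stay red until #5361 is resolved; stating that in the README would save the next reader from debugging the harness.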